Subject: Security Changes to NetBSD.
To: None <tech-security@NetBSD.ORG>
From: Darren Reed <darrenr@cyber.com.au>
List: tech-security
Date: 11/14/1997 19:31:30

I've been giving some serious thought to improving the available
mechanisms for increasing the security of NetBSD and it occurred
to me that rather than trying to replace anything or add a set
type of security to NetBSD in a fixed way, a "security
infrastructure" should be added and supported in such a way that
would allow different security controls to be applied and used
with NetBSD, depending on what security library it was linked
with or which LKM was loaded.  An example place for a generic
hook that a security module might make use of is in front of
all system calls.  I'm not sure that allowing more than one at
a time is useful (in terms of performance or sanity).  If the
requirement is to link a library rather than an LKM, then there's
a minor performance win.

Note, this is to augment, not replace securelevel or any of the
other security mechanisms already in place within NetBSD.

Also, this is not an effort to implement Orange Book B-level security,
although it might help that(?).

Thoughts?

Darren